
89 Page 2 of 28 R. Rios, J.A. Montenegro
verification operations dominate cryptographic overhead,
while certain post-quantum KEMs (e.g., ML-KEM)intro-
duce minimal latency. In contrast, hybrid and HQC-based
solutions significantly increase handshake duration, par-
ticularly on ARM platforms. This multi-layer evaluation
demonstrate that performance rankings can shift dramati-
cally when primitives are embedded in real-world contexts,
with some signature schemes introducing notable overheads.
These findings underscore the critical need for system-level
evaluations to guide the practical adoption of post-quantum
cryptography.
The structure of this paper is organized as follows. Sec. 2
analyzes related work and positions our main contributions.
Sec. 3presents our evaluation setup, including the selec-
tion of cryptographic primitives, protocols, and applications
selected for evaluation, as well as the details of evaluation
framework for performance assessment at different layers of
the communication stack. Sec. 4,5and Sec. 6present our
performance analysis at the primitive, TLS handshake, and
VPN application levels, respectively. Sec. 7discusses the key
cases in our work. Finally, Sec. 8concludes with key findings
and outlines future research directions.
2 Related Work
The development of PQC algorithms has been an active area
of research, particularly after the announcement of the NIST
competition in 2016 [2]. Several works have focused on the
analysis of these algorithms from a security perspective (e.g.,
[5,6]) while others have concentrated on their applicability
and cost.
Some authors have focused on benchmarking different
aspects of PQC algorithms. For example, an extensive com-
pilation of performance metrics across various families of
algorithms is presented in [7]. Other works have analyzed
the energy consumption of these algorithms [8]. In particular,
some studies have examined their suitability for power-
constrained scenarios, such as the Internet of Things [9].
Similarly, other authors have worked on the optimization and
benchmarking of PQC algorithms. For instance, Dang et al.
[10] implemented three lattice-based KEMs from the second
round of the NIST PQC standardization process, showing that
hardware acceleration can substantially improve their execu-
tion times. In [11], two competition finalists—one KEM and
one signature scheme—are benchmarked on a cryptoproces-
sor optimized for their execution.
The integration of post-quantum KEMs and digital sig-
natures into security protocols has also been extensively
studied. Notably, [12] evaluates NIST signature algorithm
candidates at that time and investigates the latency they
impose on TLS 1.3 connection establishment. [13] goes
one step further and analyzes the impact of both several
post-quantum key encapsulation and signature algorithms in
TLS. In [14], the authors devise a modular framework to
evaluate the impact of integrating post-quantum and hybrid
cryptographic primitives in the TLS protocol under various
network conditions. Similarly, [15] presents an evaluation
across three security levels, based on the traditional and
post-quantum candidate algorithms available at the time
of the study. Their work includes a breakdown of library-
level computational workload, highlighting an increased
CPU usage at the protocol level, but without a detailed
analysis of the underlying cryptographic primitives. Inter-
estingly, Farooq et al. [16] observed that some KEMs in
TLS implementations— particularly BIKE and Classic
McEliece—performed better on Linux platforms than
on Windows on x86 systems. Additionally, the authors in
[17] focus on analyzing vectorized instruction sets on x86
platforms, demonstrating performance improvements over
non-vectorized implementations. However, these improve-
ments are not reflected when integrated into the TLS protocol.
That work conducts a two-level analysis, whereas our study
performs a three-level analysis across two different plat-
forms.
Some works have also investigated the impact of integrat-
ing PQC algorithms in virtual private network applications.
[18] evaluated the number of CPU instructions of sev-
eral post-quantum cryptography from the NIST competition
in OpenVPN and HTTPS. Similarly, [19] compared exe-
cution time of OpenVPN with traditional RSA and with
Dilithium. Paquin et al. [20]havealsoworkedonthe
integration of PQC algorithms into the OpenVPN protocol.
Some authors have focused on different types of VPN. For
example, Bae et al. [21] evaluate the execution speed of
PQC algorithms from NIST Round 3 finalists into IPSec.
Wireguard VPNs have also received attention lately [22,
23].
The analysis of the literature reveals that the performance
of PQC algorithms is influenced by hardware platform;
however, most works tend to focus on a single platform.
In general, research also tends to concentrate on a sin-
gle layer of the protocol stack and does not trace the
impact of these algorithms across multiple layers. In con-
trast, our analysis is not only multi-layered but also considers
two widely used hardware architectures. Additionally, we
focus on standardized PQC algorithms or those recently
selected for standardization. Compared to our previous
work [14], this study extends the analysis by incorporat-
ing performance comparisons across CPU architectures and
evaluating the latest PQC standards. Most notably, it intro-
duces an additional layer of complexity to the assessment
of PQC impact on network protocols, namely the VPN
layer.
123